accelint-onboard-openspec
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The skill performs automated scanning of project-specific metadata files (e.g., package.json, tsconfig.json, .nvmrc) to infer the technology stack. This behavior is restricted to local file reading and is a core functional requirement of the onboarding process.
- [PROMPT_INJECTION]: The skill ingests untrusted data from the local codebase (e.g., project descriptions or domain concepts), which could theoretically be used for indirect prompt injection. However, the risk is mitigated by a mandatory human-in-the-loop review step in Phase 4, where the agent must display the generated configuration and wait for user confirmation before writing to disk.